OPK v17.1.1
This release fixes a flaw in the OPK code that could allow content that requires HDCP 2 to output over a display connection that only supports HDCP 1. This bug would only be triggered if the WTPI implementation reports the minor version number of HDCP 1 connections. If your implementation of WTPI_CurrentHDCPCapability() ever returns HDCP_V1_0, HDCP_V1_1, HDCP_V1_2, HDCP_V1_3, or HDCP_V1_4, your device is vulnerable and you should take this patch urgently. If your implementation of WTPI_CurrentHDCPCapability() only ever returns HDCP_V1 for HDCP 1 connections or does not support HDCP 1, then your device is not affected. This release also fixes an incorrect version number in ODK.
This commit is contained in:
John "Juce" Bruce
16
CHANGELOG.md
16
CHANGELOG.md
@@ -2,6 +2,21 @@
|
||||
|
||||
[TOC]
|
||||
|
||||
## [OPK Version 17.1.1][v17.1+opk-v17.1.1]
|
||||
|
||||
This release fixes a flaw in the OPK code that could allow content that requires
|
||||
HDCP 2 to output over a display connection that only supports HDCP 1. This bug
|
||||
would only be triggered if the WTPI implementation reports the minor version
|
||||
number of HDCP 1 connections. If your implementation of
|
||||
`WTPI_CurrentHDCPCapability()` ever returns `HDCP_V1_0`, `HDCP_V1_1`,
|
||||
`HDCP_V1_2`, `HDCP_V1_3`, or `HDCP_V1_4`, your device is vulnerable and you
|
||||
should take this patch urgently. If your implementation of
|
||||
`WTPI_CurrentHDCPCapability()` only ever returns `HDCP_V1` for HDCP 1
|
||||
connections or does not support HDCP 1, then your device is not affected. You
|
||||
will not need to change your WTPI implementation to apply this patch.
|
||||
|
||||
This release also fixes the value of `maximum_minor_version` in ODK.
|
||||
|
||||
## [Version 17.1][v17.1]
|
||||
|
||||
This release contains a major change to the build process for the OP-TEE port,
|
||||
@@ -163,3 +178,4 @@ Public release for OEMCrypto API and ODK library version 16.4.
|
||||
[v17+test-updates+opk]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17+test-updates+opk
|
||||
[v17+test-updates+opk+mk]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17+test-updates+opk+mk
|
||||
[v17.1]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17.1
|
||||
[v17.1+opk-v17.1.1]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17.1+opk-v17.1.1
|
||||
|
||||
@@ -28,7 +28,7 @@ struct CoreMessageFeatures {
|
||||
// number. The default is 16.5, the last version used by Chrome. This will
|
||||
// change to 17.0 when v17 has been released.
|
||||
uint32_t maximum_major_version = 17;
|
||||
uint32_t maximum_minor_version = 0;
|
||||
uint32_t maximum_minor_version = 1;
|
||||
|
||||
bool operator==(const CoreMessageFeatures &other) const;
|
||||
bool operator!=(const CoreMessageFeatures &other) const {
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
|
||||
#include "oemcrypto_session.h"
|
||||
|
||||
#include <stdbool.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "odk.h"
|
||||
@@ -1053,6 +1054,45 @@ OEMCryptoResult OPKI_GetKeyControlBlock(
|
||||
return OEMCrypto_SUCCESS;
|
||||
}
|
||||
|
||||
static bool PrioritizeHdcpLevel(OEMCrypto_HDCP_Capability level,
|
||||
uint8_t* priority) {
|
||||
// Since OEMCrypto_HDCP_Capability is no longer sorted, we need to convert all
|
||||
// values to a sorted priority so we can efficiently compare them.
|
||||
//
|
||||
// If new enum values are added to OEMCrypto_HDCP_Capability, we'll have to
|
||||
// add them to this function. Since OEMCrypto_HDCP_Capability is no longer
|
||||
// sorted, we cannot assume we know how to handle new values.
|
||||
if (level == HDCP_NONE || level == HDCP_V1 ||
|
||||
level == HDCP_NO_DIGITAL_OUTPUT) {
|
||||
*priority = (uint8_t)level;
|
||||
return true;
|
||||
} else if (level >= HDCP_V2 && level <= HDCP_V2_3) {
|
||||
*priority = (uint8_t)level + 5;
|
||||
return true;
|
||||
} else if (level >= HDCP_V1_0 && level <= HDCP_V1_4) {
|
||||
*priority = (uint8_t)level - 4;
|
||||
return true;
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
static bool IsHdcpLevelSufficient(OEMCrypto_HDCP_Capability required,
|
||||
OEMCrypto_HDCP_Capability current) {
|
||||
uint8_t required_priority = 0;
|
||||
if (!PrioritizeHdcpLevel(required, &required_priority)) {
|
||||
LOGE("Unrecognized HDCP requirement %u", required);
|
||||
return false;
|
||||
}
|
||||
uint8_t current_priority = 0;
|
||||
if (!PrioritizeHdcpLevel(current, ¤t_priority)) {
|
||||
LOGE("Unrecognized current HDCP level %u", current);
|
||||
return false;
|
||||
}
|
||||
|
||||
return current_priority >= required_priority;
|
||||
}
|
||||
|
||||
OEMCryptoResult OPKI_CheckCurrentContentKeyUsage(
|
||||
OEMCryptoSession* session, OEMCryptoEntitledKeySession* key_session,
|
||||
uint32_t use_type, OPK_OutputBuffer_Type buffer_type) {
|
||||
@@ -1096,7 +1136,8 @@ OEMCryptoResult OPKI_CheckCurrentContentKeyUsage(
|
||||
const uint8_t required_hdcp =
|
||||
(control.control_bits & CONTROL_HDCP_VERSION_MASK) >>
|
||||
CONTROL_HDCP_VERSION_SHIFT;
|
||||
if (required_hdcp > capability || capability == HDCP_NONE) {
|
||||
if (!IsHdcpLevelSufficient(required_hdcp, capability) ||
|
||||
capability == HDCP_NONE) {
|
||||
return OEMCrypto_ERROR_INSUFFICIENT_HDCP;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user